FinOps Center's Installation Components

The installation of FinOps Center requires configuring your AWS Cloud Estate within the Management Account and the Delegated Admin Account or Data Collection where the application will be installed.

Pre-Requisite Task (~1hr)

Tasks in Management Account

• Create Cost and Usage Report via Data Exports - via CID Framework

• Create S3 Bucket for Cost and Usage Report - via CID Framework

• Create IAM Role for S3 Bucket Replication - via CID Framework

• S3 Management setup of Bucket Replication and Batch Operation (optional)

• Enable Delegated Admin Account (suggest configured via AWS Organizations, Security Hub, or IAM Identity Center).

Assess Requirement

1. Admin - creating IAM Role

Tasks in Designated Admin/ Date Aggregation (~1hr)

1. Create Target Bucket for the Cost and Usage Report via Data Exports - via CID Framework.

2. Create S3 Bucket for Bucket Replication and Frontend Application

3. Configure S3 Buckets with CloudFront

4. Launch and Configure QuickSight

Access Requirement

1. Admin as the CFT create IAM roles

FinOps Center may take ~8 Hrs to load all Cost and Usage Data and 1 Day for Cost Recommendations.

Cloud Estate Design

When preparing for your FinOps Center installation, it's important to consider the design elements related to both your Cloud Estate and the AWS account for your FinOps Center installation.

Aligned with the Multi-Account Strategy, FinOps Center is designed to facilitate the management of your AWS Cloud Estate through the Delegated Admin Account. A Delegated Admin Account may already be created and configured in your Cloud Estate as you set up various AWS Management and Security services like Security Hub and IAM Identity Center.

FinOps Center runs on 100% native AWS Services and is deployed via CloudFormation. FinOps Center is access management services to assist with integrated with core AWS Plaftorm services to simplify AWS Cloud Financial Management.

FinOps Center utilizes the Cost and Usage Data Export report created in the Management Account and replicated to the Delegated Admin. It was designed to work alongside the Cloud Intelligence Dashboard framework, which must be installed prior to the FinOps Center installation.

To subscribe to the FinOps Center, the subscription must be initiated and installed from the Designated Admin Account through the AWS Marketplace.

FinOps Center leverages the work from AWS CID Framework that so customer can leverage the Various QuickSight Dashboards created by the OPTICS Team. Scripts need to be run in both the Management and Data Collection Account.

https://docs.aws.amazon.com/guidance/latest/cloud-intelligence-dashboards/deployment-in-global-regions.html UPDATED Location

To enable the Cost Recommendation Process and Data, the Cost Optimizaton Recommendations need to be enables in both the Master Payer and Data Collector Account (FinOps Center Account).

Once the CloudFront Distribution is created, the distribution needs to be configured in your DNS.

If in your DNS is in Route53, add the subdomain the distribution

If in alternative DNS Server, add the distrbution as a CNAME

Within your CloudFront Distribution, add customer error response of 403 to / index.html withwith HTTP Response of 200 OK

FinOps Center Front End Application is deployed to and is served from S3.

Navigate to S3 and Create a new S3 Bucket in US-East-1 (N. Virginia)

Upon navigating to CloudFront, create a new distributions.

Updated for new AWS UI

Create a name for your Distribution and Add your cusotmer Domain. Note: it will try to validate the URL but select Skip for Now.

Level the S3 Selection and Select the Browse S3

Select your bucket and Select Choose

Leave the Origin Path to Default and Select Next

AWS Account w/ Delegated Admin

The New Account Onboarding Process for FinOps Center is facilitated by access to the Account Management API in the Management Account. Within an AWS Cloud Estate, one account can be configured to be Delegated Admin and is the account FinOps Center is installed.

Steps to Create Delegated Admin if not created

1. Creation of New Account - Customers are advised to create an account (if not existing already) that requires Delegated Admin privileges, particularly for services like Security Hub and Systems Manager. While the naming convention is flexible, this account is referred to as the CloudOps Account by Cloud Scal3.

1. Enablement via Security Hub- Follow the instructions provided for enabling an account to be delegated Admin via Security Hub Setup. This involves configuring the Delegated Admin Account through Security Hub.

By following these steps, the integration for Account to Budget onboarding through FinOps Center is facilitated efficiently and securely.

Add the Domain for the FinOps Center Applicatoin and select the DNS Validation

Save the CNAME name and CNAME Value

Logi into Route 53 Account (likely Management Account)

Navigate to your Hosted Zone and Create a new A Record

Add the DNS Entries to the subdomain from the what was saved and the Value to Validate the SSL Certificate.

In approxiately 5 to 10 minutes the Certificate in the FinOps Center Account will show as Validated and able to be added to Distbitution.